Uber fined over UK data breach

The company made a series of 'avoidable data security flaws', the ICO says.

Shares

Uber was fined £385,000 by the Information Commissioner's Office (ICO) for failing to protect user data. The news was confirmed by the ICO itself, saying the company made a series of 'avoidable data security flaws', which allowed for the data breach.

A total of 2.7 million UK customers have had their data compromised, including names, email addresses and phone numbers. The attack also affected drivers – 82,000 of them have had their details exposed, which includes where they had driven, and how much they were paid for the fare.

Uber was also quiet on the matter and instead of notifying its customers, it had paid the attackers $100,000 to destroy the data.

“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen,” ICO Director of Investigations Steve Eckersley said. “At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”

The attack occurred in October and November 2016.

The ICO had fined Uber based on the Data Protection Act of 1998, as the data breach itself occurred before GDPR kicked in last May. Had it been after GDPR, the fine would have probably been much, much larger.

“Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack,” he added.

“Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected.”